Sender callouts are most emphatically *NOT* good, though. Consider the effect on my mailserver when all 100000 sites on the internet that someone has sent spam to (with my server faked as the sender) attempt to connect to me to verify the account exists. It’s just about as bad as if they were sending DSNs!

And sometimes it’s worse, because some mailservers seem to keep the connection open for a while…I guess just in case they need to send more callouts or something.

This isn’t a theoretical concern: Just last week I had this happen and had to reconfigure my server to allow 500 (vs 20) exim processes, and decrease the idle disconnect delay to 30s.

And, sorry to say, before last week I also thought sender callouts were a good idea. (sorry to everyone’s mailservers I unthinkingly helped DOS) :(

The sites I know of that use sender callouts do so very carefully. For instance, they do greylisting *first*, and only do the sender callout later after the greylist passes; thus, illegitimate mail servers won’t trigger the callout in the first place. They also only do a callout *once* for a given address (much like greylisting, pass or fail gets remembered), and they delay a random amount for callouts. IIRC they take a few other measures I’ve forgotten about as well.

I can certainly understand that badly done server callouts can cause problems. That doesn’t make the technique inherently bad.
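The ordering described above (greylist first, remember each address's verdict, delay the callout itself) can be written down as a small policy. The following is an added illustration, not code from any commenter or from exim; the class name, the triplet-based greylist, the 24h verdict cache and the injectable clock/sleep/RNG hooks are all assumptions made here so the policy can be run offline against a fake callout function.

```python
import random
import time


class CalloutGate:
    """Gate outbound sender callouts so the real mail server of a forged
    sender is not hammered with verification connections.

    Order of checks, as described in the thread: greylist the client first,
    reuse a cached per-address verdict, and only then make a fresh callout
    after a random delay.  Clock, sleep and RNG are injectable (assumption
    for testability) so the policy can be exercised without a network.
    """

    def __init__(self, greylist_window=300, cache_ttl=86400, max_delay=30,
                 now=time.time, sleep=time.sleep, rng=random.random):
        self.greylist_window = greylist_window   # seconds a new triplet must wait
        self.cache_ttl = cache_ttl               # how long a callout verdict is remembered
        self.max_delay = max_delay               # upper bound of the random pre-callout delay
        self.now, self.sleep, self.rng = now, sleep, rng
        self._greylist = {}   # (client_ip, sender, rcpt) -> first-seen time
        self._verdicts = {}   # sender -> (accepted: bool, time recorded)

    def greylist_passed(self, client_ip, sender, rcpt):
        """True once the (ip, sender, rcpt) triplet has retried after the window."""
        key = (client_ip, sender, rcpt)
        t = self.now()
        first_seen = self._greylist.setdefault(key, t)
        return t - first_seen >= self.greylist_window

    def cached_verdict(self, sender):
        """Return the remembered callout result for sender, or None if absent or expired."""
        entry = self._verdicts.get(sender)
        if entry is None:
            return None
        accepted, recorded = entry
        if self.now() - recorded > self.cache_ttl:
            del self._verdicts[sender]
            return None
        return accepted

    def decide(self, client_ip, sender, rcpt, callout):
        """Return (action, delay_seconds, callout_made).

        action is "defer" (greylist temp-fail, nothing verified), "accept" or
        "reject".  callout(sender) performs the real SMTP verification and
        returns True when the remote server accepts RCPT TO:<sender>.
        """
        if not self.greylist_passed(client_ip, sender, rcpt):
            return ("defer", 0, False)            # spam bots rarely retry: no callout made
        verdict = self.cached_verdict(sender)
        if verdict is not None:                   # pass or fail is remembered per address
            return ("accept" if verdict else "reject", 0, False)
        delay = self.rng() * self.max_delay       # spread callouts out in time
        self.sleep(delay)
        accepted = callout(sender)
        self._verdicts[sender] = (accepted, self.now())
        return ("accept" if accepted else "reject", delay, True)


if __name__ == "__main__":
    # Constructed demo: a sender domain that "accepts" everything, no real sleeping.
    gate = CalloutGate(sleep=lambda s: None)
    fake = lambda sender: sender.endswith("@example.org")
    print(gate.decide("192.0.2.1", "alice@example.org", "me@example.net", fake))  # defer
```

A forged sender whose spam run is never retried past the greylist window never costs the forged domain a single connection, and a sender that does get verified is verified once per cache lifetime rather than once per message.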

Where a scheme for rewriting MAIL FROM such that your mailserver can authenticate real bounces is described, including exim configuration fragments.

Don’t be too confused by its mentions of SRS and SPF — that was just the inspiration and original impetus for building the system. The configuration is actually a stand-alone bounce-authentication system.
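To make the idea concrete, here is an added example of the rewriting-MAIL-FROM approach in Python; it is not the configuration the comment refers to and not exim code. It uses a simplified BATV-style tag (the `btv=<expiry-day>-<mac>=<local>` layout, the HMAC-SHA256 truncation, the 7-day lifetime and the site key are all assumptions made here): outgoing MAIL FROM gets a keyed tag, and at RCPT time a null-sender message is accepted only if the recipient carries a tag that verifies and has not expired.

```python
import hashlib
import hmac
import re
import time

# Hypothetical site secret; in a real deployment it lives in the MTA configuration.
KEY = b"replace-with-a-long-random-secret"
TAG_RE = re.compile(r"^btv=(?P<exp>\d+)-(?P<mac>[0-9a-f]{12})=(?P<local>.+)$")


def _mac(key, expires, local, domain):
    msg = f"{expires}:{local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def sign_sender(sender, key=KEY, now=time.time, lifetime_days=7):
    """Rewrite an envelope sender so bounces to it can later be authenticated.

    The tag binds the original address to an expiry day (days since the epoch)
    with a keyed MAC, so only a message we actually sent can produce it.
    """
    local, domain = sender.rsplit("@", 1)
    expires = int(now() // 86400) + lifetime_days
    return f"btv={expires}-{_mac(key, expires, local, domain)}={local}@{domain}"


def verify_bounce_recipient(rcpt, key=KEY, now=time.time):
    """Return the original address if rcpt carries a valid, unexpired tag, else None."""
    local, domain = rcpt.rsplit("@", 1)
    m = TAG_RE.match(local)
    if not m:
        return None
    expires = int(m["exp"])
    if int(now() // 86400) > expires:
        return None                               # tag too old: treat as unauthenticated
    expected = _mac(key, expires, m["local"], domain)
    if not hmac.compare_digest(expected, m["mac"]):
        return None                               # forged or tampered tag
    return f"{m['local']}@{domain}"


def accept_bounce(mail_from, rcpt_to, key=KEY, now=time.time):
    """RCPT-time policy: null-sender (bounce) mail must be addressed to a valid tag.

    Returns (action, delivery_address).  Non-bounce mail is left to the normal
    recipient checks; a bounce without a verifiable tag is rejected.
    """
    if mail_from not in ("", "<>"):
        return ("accept", rcpt_to)
    original = verify_bounce_recipient(rcpt_to, key, now)
    if original is None:
        return ("reject", None)
    return ("accept", original)


if __name__ == "__main__":
    tagged = sign_sender("alice@example.net")
    print("MAIL FROM:<%s>" % tagged)
    print(accept_bounce("<>", tagged))                 # ('accept', 'alice@example.net')
    print(accept_bounce("<>", "alice@example.net"))    # ('reject', None)
```

The scheme is stand-alone in the same sense as the one the comment describes: it needs no cooperation from SPF or SRS, only that all outgoing mail from the domain passes through the rewriting MTA and that the key is shared by every inbound host that applies the check.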

Spamassassin has an option (whitelist_bounce_relays) that tries to detect bounces. If you already use spamassassin for mail filtering you could use that. I use it to filter DSNs to a separate folder.

I configured my mail server to reject mail if the source address would not accept a DSN (by the sender verify feature of exim). But if you do that, you’ll end up in yet other blacklists… (sorry, lost the reference to the black list provider)